openSUSE-SU-2019:2595

openSUSE-SU-2019:2597

https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

  - clamd can now reload the signature database without     blocking scanning. This multi-threaded database reload     improvement was made possible thanks to a community     effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hardcoded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

  - The freshclam.service should not be started before the     network is online (it checks for updates immediately     upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API.

  - created new subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

This update was imported from the SUSE:SLE-15:Update update project.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.

Partial sync with SLE15.

Update to version 0.102.4

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Update to version 0.101.3 :

ZIP bomb causes extreme CPU spikes (bsc#1144504)

Update to version 0.101.2 (bsc#1118459) :

Support for RAR v5 archive extraction.

Incompatible changes to the arguments of cl_scandesc, cl_scandesc_callback, and cl_scanmap_callback.

Scanning options have been converted from a single flag bit-field into a structure of multiple categorized flag bit-fields.

The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by 2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and CL_SCAN_HEURISTIC_ENCRYPTED_DOC

Incompatible clamd.conf and command line interface changes.

Heuristic Alerts' (aka 'Algorithmic Detection') options have been changed to make the names more consistent. The original options are deprecated in 0.101, and will be removed in a future feature release.

For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hard-coded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

The freshclam.service should not be started before the network is online (it checks for updates immediately upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API. created new     subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

Fix freshclam crash in FIPS mode. (bsc#1119353)

Update to version 0.102.4 :

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Increase the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed. (bsc#1151839)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

Security issue fixed :

  - CVE-2019-12625: Fixed a ZIP bomb issue by adding     detection and heuristics for zips with overlapping files     (bsc#1144504).

  - CVE-2019-12900: Fixed an out-of-bounds write in     decompress.c with many selectors (bsc#1149458).

Non-security issues fixed :

  - Added the --max-scantime clamscan option and MaxScanTime     clamd configuration option (bsc#1144504).

  - Increased the startup timeout of clamd to 5 minutes to     cater for the grown virus database as a workaround until     clamd has learned to talk to systemd to extend the     timeout as long as needed (bsc#1151839).

This update was imported from the SUSE:SLE-15:Update update project.

This update for clamav fixes the following issues :

Security issue fixed :

CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).

CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).

Non-security issues fixed: Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).

Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The update of clamav released as DLA 1953-1 led to permission issues on /var/run/clamav. This caused several users to experience issues restarting the clamav daemon. This regression is caused by a mistakenly backported patch from the stretch package, upon which this update was based.

For Debian 8 'Jessie', this problem has been fixed in version 0.101.4+dfsg-0+deb8u2.

We recommend that you upgrade your clamav packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ClamAV incorrectly handled unpacking ZIP files.
A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2019-12625)

It was discovered that ClamAV incorrectly handled unpacking bzip2 files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-12900).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ClamAV 0.101.4 is a security patch release that addresses the following issues.

  - An out of bounds write was possible within ClamAV's NSIS     bzip2 library when attempting decompression in cases     where the number of selectors exceeded the max limit set     by the library (CVE-2019-12900). The issue has been     resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue here.

  - The zip bomb vulnerability mitigated in 0.101.3 has been     assigned the CVE identifier CVE-2019-12625.
    Unfortunately, a workaround for the zip-bomb mitigation     was immediately identified. To remediate the zip-bomb     scan time issue, a scan time limit has been introduced     in 0.101.4. This limit now resolves ClamAV's     vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000     milliseconds).

    To customize the time limit :

  - use the clamscan --max-scantime option

  - use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the     cl_engine_set_num function. For example :

    C cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME,     time_limit_milliseconds)

    Thanks to David Fifield for reviewing the zip-bomb     mitigation in 0.101.3 and reporting the issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Micah Snyder reports :

- An out of bounds write was possible within ClamAV&s NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900).
The issue has been resolved by respecting that limit.

- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

ID	Name	Product	Family	Severity
145338	openSUSE Security Update : clamav (openSUSE-2020-2268)	Nessus	SuSE Local Security Checks	high
145307	openSUSE Security Update : clamav (openSUSE-2020-2276)	Nessus	SuSE Local Security Checks	high
144579	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3918-1)	Nessus	SuSE Local Security Checks	high
144237	SUSE SLED15 / SLES15 Security Update : clamav (SUSE-SU-2020:3790-1)	Nessus	SuSE Local Security Checks	high
143705	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3729-1)	Nessus	SuSE Local Security Checks	high
131540	openSUSE Security Update : clamav (openSUSE-2019-2597)	Nessus	SuSE Local Security Checks	high
131538	openSUSE Security Update : clamav (openSUSE-2019-2595)	Nessus	SuSE Local Security Checks	high
131385	SUSE SLED12 / SLES12 Security Update : clamav (SUSE-SU-2019:3066-1)	Nessus	SuSE Local Security Checks	high
131305	SUSE SLED15 / SLES15 Security Update : clamav (SUSE-SU-2019:3053-1)	Nessus	SuSE Local Security Checks	high
129799	Debian DLA-1953-2 : clamav regression update	Nessus	Debian Local Security Checks	high
129556	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : clamav vulnerabilities (USN-4146-1)	Nessus	Ubuntu Local Security Checks	high
128437	Fedora 29 : clamav (2019-aabcb53ec6)	Nessus	Fedora Local Security Checks	high
128137	FreeBSD : clamav -- multiple vulnerabilities (dbd1f627-c43b-11e9-a923-9c5c8e75236a)	Nessus	FreeBSD Local Security Checks	high
128132	Fedora 30 : clamav (2019-5c2dc50262)	Nessus	Fedora Local Security Checks	high

CVE-2019-12625

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high